Pointer in the correct direction...

Hi, would someone please give me a pointer in the correct direction?

I would like to think that I'm a fairly experienced Linux IPTables user, but I am a novice when it comes to Cisco IOS and NATing. I have a Cisco Catalyst 5000 Route Switch Module (based on the 7000? router) that I would like to configure some more than basic NATing on. I have the router configured to do NATing between my private home LAN and the internet (DSL) connection. With my ISP's permission, I'm wanting to port forward port 119 on my external IP to my ISP's news server for one specific IP on the net (my office). Before you start to say that I should just connect to the IP in question directly, I can not because it is firewalled from the world in general. Before you start to say that I should not try to circumvent the firewall, I *HAVE* spoken to my ISP and gotten permission (in writing) to do what I'm wanting to do for ONLY my controlled IP at the office.

In Linux IPTables this would be as simple as the following two rules:

(Presuming that the traffic is not filtered elsewhere.)

iptables -t nat -A PREROUTING -i $WAN -s $WorkIP -d $WANIP -p TCP --dport 119 -j DNAT --to-destination $NewsServerIP
iptables -t nat -A POSTROUTING -o $WAN -s $WorkIP -d $NewsServerIP -p TCP --dport 119 -j SNAT --to-source $WANIP

So the question is, how would I do this type of thing with Cisco IOS's NAT stack? Is this possible? Below you will find the output of "show version", which I think should tell you what you need to know about the router in question. If there is something else that you need to know, please ask.

What I would really love is for someone that knows Cisco IOS & NATing very well to point me in the direction of some good documentation and then be willing to answer a few questions after I do some more homework.

tncrtr02-gw#show version
Cisco Internetwork Operating System Software
IOS (tm) C5RSM Software (C5RSM-IO3SV56I-M), Version 12.1(2), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 10-May-00 19:19 by linda
Image text-base: 0x60010908, data-base: 0x61100000

ROM: System Bootstrap, Version 11.2(17523) [mohsen 102], INTERIM SOFTWARE
BOOTFLASH: C5RSM Software (C5RSM-BOOT-M), Version 12.0(21a), RELEASE SOFTWARE (fc1)

tncrtr02-gw uptime is 4 weeks, 1 day, 1 hour, 16 minutes
System returned to ROM by reload
System image file is "slot0:c5rsm-io3sv56i-mz.121-2.bin"

cisco RSP2 (R4700) processor with 131072K/2072K bytes of memory.
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Last reset from power-on
G.703/E1 software, Version 1.0.
G.703/JT2 software, Version 1.0.
X.25 software, Version 3.0.0.
Bridging software.
1 C5IP controller (4 Vlan).
3 Virtual Ethernet/IEEE 802.3 interface(s)
1 Virtual Token Ring/IEEE 802.5 interface(s)
123K bytes of non-volatile configuration memory.

20480K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x10F

Thank you, and have a nice day. :)

Grant. . . .

Reply to
Taylor, Grant
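The two iptables rules in the post are easier to reason about when you trace one packet through them. The following is an added Python model, not code from the post or from any of the participants: it applies the PREROUTING DNAT and POSTROUTING SNAT matches to a toy packet record, records the conntrack-style original/reply tuples, and un-NATs the news server's reply the way the kernel does. The interface names and the addresses standing in for $WAN, $WANIP, $WorkIP and $NewsServerIP are placeholders I chose from the documentation ranges. The third flow in demo() shows why the `-s $WorkIP` match matters from a defensive point of view: a connection to port 119 from any other source never matches either rule, is delivered to the router itself, and is left to the filter table (which the post presumes is in place) to reject.

```python
"""Constructed model (not code from the post) of the two iptables rules above:
PREROUTING DNAT + POSTROUTING SNAT applied to a toy packet record, plus the
conntrack-style reverse mapping that un-NATs the reply. Addresses are
placeholders from the documentation ranges, standing in for the post's
$WAN, $WANIP, $WorkIP and $NewsServerIP variables."""
from dataclasses import dataclass, replace

WAN = "ppp0"              # $WAN          (assumed interface name)
WAN_IP = "203.0.113.10"   # $WANIP        (placeholder)
WORK_IP = "198.51.100.7"  # $WorkIP       (placeholder)
NEWS_IP = "192.0.2.25"    # $NewsServerIP (placeholder)
LAN_IF = "eth1"           # assumed LAN interface
LOCAL = "local"           # pseudo-interface: packet is addressed to the router itself


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def prerouting(pkt):
    """Rule 1: -i $WAN -s $WorkIP -d $WANIP -p TCP --dport 119 -j DNAT --to $NewsServerIP."""
    if (pkt.in_if == WAN and pkt.src == WORK_IP and pkt.dst == WAN_IP
            and pkt.proto == "tcp" and pkt.dport == 119):
        return replace(pkt, dst=NEWS_IP)
    return pkt  # no match: the packet keeps its original destination


def route(pkt):
    """Toy routing decision, taken after PREROUTING on the (possibly rewritten) dst."""
    if pkt.dst == WAN_IP:
        return LOCAL
    if pkt.dst.startswith("192.168."):
        return LAN_IF
    return WAN


def postrouting(pkt, out_if):
    """Rule 2: -o $WAN -s $WorkIP -d $NewsServerIP -p TCP --dport 119 -j SNAT --to $WANIP."""
    if (out_if == WAN and pkt.src == WORK_IP and pkt.dst == NEWS_IP
            and pkt.proto == "tcp" and pkt.dport == 119):
        return replace(pkt, src=WAN_IP)
    return pkt


def forward(pkt):
    """PREROUTING -> routing -> POSTROUTING. Returns (out_if, packet, conntrack entry).

    The entry keeps the original tuple and the expected reply tuple; that is what
    lets both translations be reversed on the return traffic."""
    after_dnat = prerouting(pkt)
    out_if = route(after_dnat)
    after_snat = postrouting(after_dnat, out_if)
    entry = {
        "orig": (pkt.src, pkt.sport, pkt.dst, pkt.dport),
        "reply": (after_snat.dst, after_snat.dport, after_snat.src, after_snat.sport),
    }
    return out_if, after_snat, entry


def untranslate_reply(reply, entry):
    """Map the news server's reply back onto what the office host expects.

    Returns None if the packet does not belong to the tracked connection."""
    if (reply.src, reply.sport, reply.dst, reply.dport) != entry["reply"]:
        return None
    osrc, osport, odst, odport = entry["orig"]
    # Towards the office the reply appears to come from $WANIP:119 and goes to $WorkIP:sport.
    return replace(reply, src=odst, sport=odport, dst=osrc, dport=osport)


def demo():
    """Exercise the permitted flow, its reply, and a connection from a non-permitted source."""
    office = Packet(WAN, WORK_IP, WAN_IP, "tcp", 40000, 119)
    out_if, out, ct = forward(office)
    reply = Packet(WAN, NEWS_IP, WAN_IP, "tcp", 119, 40000)
    back = untranslate_reply(reply, ct)
    # Same port, different source: neither rule matches, so nothing is forwarded;
    # the packet is delivered locally and it is the filter table's job to drop it.
    stranger = Packet(WAN, "198.51.100.99", WAN_IP, "tcp", 5555, 119)
    s_if, s_out, _ = forward(stranger)
    return {"out_if": out_if, "out": out, "back": back, "stranger_if": s_if, "stranger": s_out}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately keeps the routing step between the two chains, because that is the order the kernel uses: the DNAT in PREROUTING changes the destination before the routing decision, which is what sends the packet back out $WAN where the POSTROUTING SNAT then applies.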

You should ask in comp.dcom.sys.cisco

You could possibly do what you want by using an ip nat inside destination applied to the outside interface, and ip nat outside source applied to the same interface

I haven't configured enough IOS NAT to be certain on the exact sequence you would need (I've concentrated on Cisco PIX.)

At worst case it would be a destination nat, a routing (possibly a policy based routing) to a loopback interface, and then a source nat out the outside. Possibly another routing to get the return traffic into the loopback interface to go back out again to the original host.

Often a situation such as yours would be solved by creating a tunnel between your office and your home system; your Cat5000 RSM is likely to support at least GRE tunnels, but possibly not IPSec.

Another solution is to toss a squid proxy onto one of your home boxes. Then all you need to do is put on a filter to control access to that port, and put in static PAT (port address translation) to forward from your public IP to your internal host.

Reply to
Walter Roberson

Thank you for the info. I have re-posted my question there.

Hum,

You and most of my colleagues as well. :) I unfortunately do not have a PIX to play with.

Ugh.

I have not considered a tunnel because the system in question that will be connecting is a server at my office directly on the net, which does not have tunneling support.

Indeed.

Walter, thank you for your insightful reply. I'll see if I can't glean more information where you have directed me.

Grant. . . .

Reply to
Taylor, Grant

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.